Overclock.net - An Overclocking Community


dagget3450 04-25-2019 07:15 AM

[PCM]Qualcomm Chip Bug Poses Risk to App Account Security
 
Didn't see this posted:

Quote:

A security bug has been uncovered in dozens of Qualcomm chipsets that could pave way for Android malware capable of stealing access to your online accounts.

"However, if an attacker uses this vulnerability to steal the key pair, the attacker can impersonate the user's device from anywhere in the world, and the user cannot stop it by powering down or destroying their device," Ryan told PCMag.

The attacker also doesn't need physical access to the Qualcomm-powered device to extract the keys. What's necessary is root access to the phone, which could be achieved by getting malware on to the device.
Source: https://www.pcmag.com/news/367970/qu...count-security
Discuss!

ToTheSun! 04-25-2019 07:32 AM

Can't use Huawei because China.

Can't use Snapdragon phones because security.

Can't use Samsung because house fires.

Back to 3310?

EniGma1987 04-25-2019 08:23 AM

This doesn't matter at all.
1) it was already patched
2) requires root access which is disabled by default unless the user specifically unlocks their phone
3) requires the user to (inadvertently) install malware on their device with root access

epic1337 04-25-2019 08:33 AM

Quote:

Originally Posted by ToTheSun! (Post 27945228)
Can't use Huawei because China.

Can't use Snapdragon phones because security.

Can't use Samsung because house fires.

Back to 3310?

Intel powered phones.

or you could always go Apple...

WannaBeOCer 04-25-2019 08:46 AM

Quote:

Originally Posted by epic1337 (Post 27945302)
Intel powered phones.

or you could always go Apple...

Their SoC is pretty impressive, but I don't like iOS; then again, I never gave it a fair chance.

ToTheSun! 04-25-2019 09:38 AM

Quote:

Originally Posted by EniGma1987 (Post 27945290)
3) requires the user to (inadvertently) install malware on their device with root access

As opposed to that relevant portion of the population that installs malware advertently.

rluker5 04-25-2019 11:47 AM

Quote:

Originally Posted by epic1337 (Post 27945302)
Intel powered phones.

or you could always go Apple...

T5c is still selling for $100. Which is a fair price for that phone.

JackCY 04-25-2019 12:04 PM

Mediatek. But then all hardware always has some issue or flaw.

Avonosac 04-25-2019 01:20 PM

Quote:

Originally Posted by EniGma1987 (Post 27945290)
This doesn't matter at all.

3) requires the user to (inadvertently) install malware on their device with root access

Um... You are dramatically underselling the risk here.

1. Android updates are extremely bifurcated and unreliable unless you have a Google phone.
2. There are known methods to attain this on all versions of Android except the current security patched version. This statement is 100% security by obscurity.
3. Already has a slightly better than .7% chance just by using certified apps in the Play Store. This is completely ignoring fully targeted or group targeted attacks, which can raise the success rate to 100% rather easily. At last count in 2017 there were 2B+ Android devices, so that means if all of them were Qualcomm based (which given their share isn't a huge hypothetical) at least 14 million devices are vulnerable to this attack; this number goes up dramatically when you include apps from other legitimate stores with far worse security than Play.

The problem with everything I stated in #3 is that it's very likely high net worth people would be targeted for this, because you're only going to want to invest effort to attack people with value, which makes a targeted attack far more likely, which makes the success of this extraction far more likely. Extracting the private key of the device completely eliminates the security of that device, which no software update can fix; you quite literally need to buy a new phone and destroy all previous authentication tokens created by it to begin using any of your connected accounts safely.

xJumper 04-26-2019 01:27 PM

Quote:

Originally Posted by EniGma1987 (Post 27945290)
This doesn't matter at all.
1) it was already patched
2) requires root access which is disabled by default unless the user specifically unlocks their phone
3) requires the user to (inadvertently) install malware on their device with root access

Basically this. Rule #1 of sysadmin'ing: if something wants root that has no business using root, something's wrong.

Quote:

Originally Posted by ToTheSun! (Post 27945394)
As opposed to that relevant portion of the population that installs malware advertently.

While the average person's Android phone is bogged down with spyware and adware, there's nothing "wrong" with that really; all the apps are still running within the SELinux permission environment that they are supposed to. Very few pieces of malware actually gain root on the phone.

Quote:

Originally Posted by Avonosac (Post 27945580)
Um... You are dramatically underselling the risk here.
1. Android updates are extremely bifurcated and unreliable unless you have a Google phone.

Custom ROM guys get updates as fast if not faster than Google phones; some even get daily nightly builds. This is why I encourage people to look into this, it's one of the most important things you can do to increase your security in the mobile world. Nevertheless, the situation for stock OEM phones except Google's does suck and manufacturers need to be held accountable for that; it's unacceptable that the going rate in the Android world is a security patch every 6 months from the OEM for a grand total of 2-3 since launch day and then support just gets cut.

Quote:

Originally Posted by Avonosac (Post 27945580)
2. There are known methods to attain this on all versions of Android except the current security patched version. This statement is 100% security by obscurity.

There are very few in-the-wild root exploits on the last, say, three versions of Android. There's a reason why there aren't and haven't really been any "one click root" solutions since maybe Android 5. In the past, those "one click" root solutions were basically apps that you would install that would have kernel/OS vulnerabilities built in and would exploit them to gain you root access. It's a pain in the rear to root your phone now; you need unlocked bootloaders, custom recoveries and a bunch of .zip files to flash. It's not something that can be done by mistake or by an app running in Android userland.

The few actual userland one click style root exploits nowadays are usually day-zero government stuff, the kind you see where they send some link/picture through SMS to a journalist, it auto-roots the phone and then installs a giant spyware package that controls the whole thing.

Quote:

Originally Posted by Avonosac (Post 27945580)
3. Already has a slightly better than .7% chance just by using certified apps in the Play Store. This is completely ignoring fully targeted or group targeted attacks, which can raise the success rate to 100% rather easily. At last count in 2017 there were 2B+ Android devices, so that means if all of them were Qualcomm based (which given their share isn't a huge hypothetical) at least 14 million devices are vulnerable to this attack; this number goes up dramatically when you include apps from other legitimate stores with far worse security than Play.

You would still need to willingly download a crapware app and install it AND give it root access (which the average person does not have) unless it had some day-zero root exploit built into it. What are the odds that some specific person you are targeting is gonna be looking for that particular app that you have wasted a very valuable day-zero root exploit on and download/install it?

With that being said though, Google Play is a crap hole filled with garbage and malware; the standards to get on it are really lax, as is shown by their willingness to host adware filled apps that push ads from known malware domains. Using something like F-Droid exclusively can really step up your security on Android. The average app from the Play Store (even so-called "certified" ones), I run tcpdump and it shows mountains of data exfiltrating my phone and random connections to all sorts of random servers happening. Apps from F-Droid do exactly what they say they will, use the permissions they say they use and that's it.

Quote:

Originally Posted by Avonosac (Post 27945580)
The problem with everything I stated in #3 is that it's very likely high net worth people would be targeted for this, because you're only going to want to invest effort to attack people with value, which makes a targeted attack far more likely, which makes the success of this extraction far more likely. Extracting the private key of the device completely eliminates the security of that device, which no software update can fix; you quite literally need to buy a new phone and destroy all previous authentication tokens created by it to begin using any of your connected accounts safely.

Unless there's something I missed, this still requires user intervention to happen. I haven't seen them demonstrate some government-level exploit where they can remotely push it to your phone; you still need to do something.

All in all, this is why you shouldn't use any "all in one" token style authentication systems. Having a password manager app with an encrypted db file would only be marginally less convenient to use yet wouldn't be susceptible to some irrecoverable hardware flaw.


All times are GMT -7. The time now is 06:05 AM.
